Encryption Facility for z/OS

The Encryption Facility for z/OS (program number 5655-P97), first introduced in 2005, is a host-based software solution designed to encrypt sensitive data before it is transferred to tape for archival purposes or business partner exchange. In addition to writing encrypted data to tape, Encryption Facility for z/OS can produce encrypted data written to disk and other removable media.

Encryption Facility for z/OS consists of two priced optional features, the Encryption Services feature described below and the DFSMSdss Encryption feature (which encrypts DFSMSdss dump data):

The Encryption Services feature supports encrypting and decrypting certain file formats on z/OS, so that they can be transferred to remote sites within your enterprise, transferred to partners and vendors, or archived. The feature supports both the System z format (introduced in Encryption Facility for z/OS V1.1) and the OpenPGP format (new with Encryption Facility for z/OS V1.2). The System z format supports hardware-accelerated compression before encryption.

Also available is the IBM Encryption Facility for z/OS Client. The Encryption Facility for z/OS Client is a no-cost, separately licensed program (offered as is, with no warranty) designed to enable the exchange of encrypted data between z/OS systems that have the Encryption Facility installed and systems running z/OS or other platforms that need the supported functions.

The Encryption Facility for z/OS Client consists of the following:

Java-based Client. The Java-based Client can be used on z/OS and on any platform that supports Java. It supports decryption of data that was created on a z/OS system in the Encryption Facility System z format, as well as encryption of data to be sent to a z/OS system, where the file is decrypted by the Encryption Facility using the System z format. Data to be processed by the Java-based Client must be created without compression.

Decryption Client for z/OS. The Decryption Client for z/OS is supported on z/OS systems only. It supports decryption of data that was created on a z/OS system in the Encryption Facility System z format, and that data may have been created with compression. The Decryption Client does not support encryption for the return trip: this option may perform better and require less media for the exchange, but it does not allow your business partner to return the data to you in encrypted form.

Encryption Facility for z/OS V1.2

With Encryption Facility for z/OS V1.2 the Encryption Services feature has been enhanced to support the OpenPGP standard, RFC 4880 (requires PTF UA67855). OpenPGP is a standard message format and protocol for protecting the confidentiality, integrity and authenticity of data exchanged between trusted partners. It defines the following requirements and suggested practices:

Digital signatures for partner authentication, to help ensure that a transferred message was sent by the party claiming to have sent it (non-repudiation).

Data encryption using a randomly generated symmetric session key. The session key is itself encrypted with the recipient's public key or with a passphrase-derived key, and the resulting session-key packet is placed in front of the encrypted data in the message.

OpenPGP certificates (public keys together with their binding signatures) for exchanging the key information on which the signature and encryption services depend.
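The message layout just described (session-key packets in front of the encrypted data, identified by their RFC 4880 packet tags) can be checked directly. The following Python is an added example written for this page, not code from Encryption Facility or its Java client; the sample packets are constructed by hand with placeholder key IDs and ciphertext, so nothing is decrypted, and only the message structure is examined.

```python
"""Added example: walk the packet sequence of an OpenPGP (RFC 4880)
message and check it has the shape described above, i.e. one or more
encrypted session-key packets followed by exactly one encrypted-data
packet.  Sample packets are constructed with placeholder key IDs and
ciphertext; nothing here decrypts anything."""

# RFC 4880 section 4.3 packet tags used by an encrypted message
PKESK = 1    # Public-Key Encrypted Session Key
SKESK = 3    # Symmetric-Key (passphrase/S2K) Encrypted Session Key
SED = 9      # Symmetrically Encrypted Data (no integrity protection)
SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data (with MDC)


def parse_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet header at pos.
    Handles both new-format and old-format headers (RFC 4880 section 4.2);
    partial and indeterminate lengths are rejected rather than guessed."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if first & 0x40:                                   # new-format header
        tag = first & 0x3F
        l1 = buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported by this walker")
    tag = (first >> 2) & 0x0F                           # old-format header
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported by this walker")
    n = 1 << ltype                                      # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def walk(buf):
    """Return a list of (tag, body) for every packet in buf; truncation is an error."""
    pos, packets = 0, []
    while pos < len(buf):
        tag, start, n = parse_header(buf, pos)
        if start + n > len(buf):
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((tag, buf[start:start + n]))
        pos = start + n
    return packets


def describe(buf):
    """Classify an encrypted message: who can recover the session key and
    whether the ciphertext carries a modification detection code (MDC)."""
    packets = walk(buf)
    tags = [t for t, _ in packets]
    if len(tags) < 2 or tags[-1] not in (SED, SEIPD):
        raise ValueError("expected session-key packet(s) then one encrypted-data packet")
    if any(t not in (PKESK, SKESK) for t in tags[:-1]):
        raise ValueError("only session-key packets may precede the encrypted data")
    # A v3 PKESK carries the recipient key ID in octets 1..8 (all-zero means "wild card").
    key_ids = [body[1:9].hex() for t, body in packets if t == PKESK and body[0] == 3]
    return {
        "recipient_key_ids": key_ids,
        "passphrase_protected": SKESK in tags,
        "integrity_protected": tags[-1] == SEIPD,
    }


def is_encrypted_message(buf):
    """True when describe() accepts buf, False for anything malformed."""
    try:
        describe(buf)
        return True
    except (ValueError, IndexError):
        return False


def pkt(tag, body):
    """New-format packet with a one- or two-octet body length (sufficient for samples)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    n -= 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


# Constructed sample 1: v3 PKESK for key ID 0123456789ABCDEF, RSA (alg 1),
# a 16-bit placeholder MPI, then a v1 SEIPD packet of 300 placeholder octets.
PKESK_BODY = b"\x03" + bytes.fromhex("0123456789abcdef") + b"\x01" + b"\x00\x10\xaa\xbb"
SAMPLE_PUBLIC_KEY = pkt(PKESK, PKESK_BODY) + pkt(SEIPD, b"\x01" + b"\x00" * 299)

# Constructed sample 2: the same PKESK written with an old-format header
# (tag 1, one-octet length) in front of the same SEIPD packet.
SAMPLE_OLD_FORMAT = bytes([0x84, len(PKESK_BODY)]) + PKESK_BODY + pkt(SEIPD, b"\x01" + b"\x00" * 299)

# Constructed sample 3: passphrase-based (v4 SKESK, AES-128, simple S2K with
# SHA-1) in front of a legacy SED packet, which has no MDC.
SAMPLE_PASSPHRASE = pkt(SKESK, b"\x04\x07\x00\x02") + pkt(SED, b"\x00" * 24)
```

The "integrity_protected" flag is the check a practitioner cares about when accepting files from a partner: a tag 9 (SED) packet has no MDC, so tampering with the ciphertext cannot be detected by the format itself, whereas tag 18 (SEIPD) carries one. The walker deliberately refuses partial and indeterminate body lengths instead of guessing at them; real clients handle those, but for a quick structural check an explicit error is safer than a silent misparse.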

OpenPGP support

The Encryption Facility for OpenPGP support is intended to give you more choice and flexibility for business partner data exchanges, letting you use one or more of these options and choose the one that best suits your needs. Some of these options do not require your business partners to purchase new storage hardware, have a mainframe, or run z/OS.

The Encryption Facility for OpenPGP support is designed to comply with the OpenPGP standard and to be compatible with other products that are OpenPGP (RFC 4880)-compliant. This support allows you to exchange an encrypted, compressed, and/or digitally signed file between your internal data centers using the Encryption Facility for OpenPGP support, and with external business partners and vendors who have an OpenPGP (RFC 4880)-compliant client installed on z/OS or another operating system. The Encryption Facility for OpenPGP support implements the requirements that RFC 4880 identifies as mandatory (MUST).

The Encryption Facility for OpenPGP support includes, but is not limited to:

Notes:

These functions can leverage the Integrated Cryptographic Services Facility (ICSF) and hardware cryptography. Hardware cryptography requires the correct environment and may require a cryptographic module to be installed.

The symmetric algorithms are not fully implemented in hardware. The symmetric algorithms listed require an update to ICSF that will be provided at general availability of Encryption Facility for z/OS V1.2.

zEnterprise Data Compression (zEDC) requires the zEDC Express feature (FC#0420) on a zEC12 (with Driver 15E) or zBC12, with one coprocessor per PCIe I/O feature. This support also requires IBM 31-bit SDK for z/OS, Java Technology Edition, Version 7 Release 1 or later, and z/OS V2.1 with the zEDC for z/OS feature.

Encryption Facility for OpenPGP is also able to leverage X.509 standards for public key infrastructure (PKI) to extend the basis of trust for OpenPGP environments. Encryption Facility for OpenPGP also allows you to leverage the existing security facilities of z/OS to help provide a security-rich and scalable OpenPGP client.

For example, with Encryption Facility for OpenPGP you can do the following:

Use HFS/zFS files, or z/OS partitioned (PDS and PDSE) or sequential data sets, as input or output

Perform cryptographic acceleration with certain kinds of System z hardware

To implement Encryption Facility for OpenPGP services, you must use the IBM Java Development Kit.

With the addition of the Encryption Facility for OpenPGP support in V1.2, you have two formats to choose from for business partner data exchanges or for data exchanges within your own enterprise. The Encryption Facility System z format, first introduced in the Encryption Services feature in Encryption Facility for z/OS V1.1, continues to be provided in the Encryption Services feature in V1.2. Note that the Encryption Facility for OpenPGP format and the Encryption Facility System z format are not compatible with each other: a file produced in one format cannot be processed with the functions of the other. Both the Java-based Client and the Decryption Client for z/OS support the System z format only.

The Encryption Facility for OpenPGP format support consumes more general-purpose processor (CP) capacity than the Encryption Facility System z format support. It can be configured to use multiple CPs through increased parallel processing. Because the OpenPGP format support is written in Java, all of its workload is zAAP-eligible, which reduces the impact of the higher CPU utilization on general-purpose processors. For certain configurations, such as four or more online CPUs, the elapsed time of an OpenPGP task may therefore compare favorably with that of the Encryption Facility System z format support.

In summary, both formats can use the same z/OS centralized key management and allow public/private key pairs or passphrases to be used to help secure the data exchange between partners. The Encryption Facility System z format is likely more suitable when System z processor usage is the key consideration; the Encryption Facility OpenPGP format may be better suited when interoperability with your business partners is the key consideration. Review the data exchange options with your business partners to determine which is most suitable.

Recent Encryption Facility Updates:

A new command, -compress, compresses data in the OpenPGP message format without also encrypting or signing it.
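As an added illustration of what a compress-only OpenPGP message contains (this is example code written for this page, not Encryption Facility's -compress implementation), the following Python builds a Compressed Data packet around a Literal Data packet following RFC 4880 sections 5.6 and 5.9, then reads it back. The file name and CSV content are constructed sample data; ZIP (raw DEFLATE) and ZLIB are the two RFC 4880 algorithm IDs used, and the five-octet body length form is chosen so the packet can be split without a general header parser.

```python
"""Added example: produce an OpenPGP Compressed Data packet (tag 8) that
wraps a Literal Data packet (tag 11) with no encryption or signature,
which is the shape of a compress-only OpenPGP message, and read it back.
Packet layout per RFC 4880 sections 5.6 and 5.9; sample data is constructed."""
import struct
import zlib

COMPRESSED, LITERAL = 8, 11
ZIP, ZLIB = 1, 2          # RFC 4880 section 9.3 compression algorithm IDs


def packet(tag, body):
    """New-format header with a five-octet body length (valid for any size)."""
    return bytes([0xC0 | tag, 0xFF]) + struct.pack(">I", len(body)) + body


def split_packet(buf):
    """Inverse of packet(): return (tag, body, rest) for a five-octet-length header."""
    if (buf[0] & 0xC0) != 0xC0 or buf[1] != 0xFF:
        raise ValueError("expected a new-format header with a five-octet length")
    n = struct.unpack(">I", buf[2:6])[0]
    if 6 + n > len(buf):
        raise ValueError("truncated packet body")
    return buf[0] & 0x3F, buf[6:6 + n], buf[6 + n:]


def literal_packet(filename, data, mtime=0, fmt=b"b"):
    """Literal Data packet: format octet, name length, name, 4-octet mtime, data."""
    name = filename.encode("utf-8")
    if len(name) > 255:
        raise ValueError("filename longer than 255 octets")
    return packet(LITERAL, fmt + bytes([len(name)]) + name + struct.pack(">I", mtime) + data)


def compress_message(filename, data, algorithm=ZIP, mtime=0):
    """Compressed Data packet holding the literal packet: a compress-only message."""
    inner = literal_packet(filename, data, mtime)
    # ZIP (alg 1) is a raw DEFLATE stream; ZLIB (alg 2) adds the RFC 1950 wrapper.
    wbits = -15 if algorithm == ZIP else 15
    c = zlib.compressobj(level=9, wbits=wbits)
    return packet(COMPRESSED, bytes([algorithm]) + c.compress(inner) + c.flush())


def read_message(msg):
    """Return (algorithm, filename, mtime, data) from a compress-only message."""
    tag, body, rest = split_packet(msg)
    if tag != COMPRESSED or rest:
        raise ValueError("expected exactly one Compressed Data packet")
    algorithm = body[0]
    if algorithm not in (ZIP, ZLIB):
        raise ValueError("unsupported compression algorithm %d" % algorithm)
    inner = zlib.decompress(body[1:], -15 if algorithm == ZIP else 15)
    tag, lit, rest = split_packet(inner)
    if tag != LITERAL or rest:
        raise ValueError("compressed payload is not a single Literal Data packet")
    name_len = lit[1]
    filename = lit[2:2 + name_len].decode("utf-8")
    mtime = struct.unpack(">I", lit[2 + name_len:6 + name_len])[0]
    return algorithm, filename, mtime, lit[6 + name_len:]


# Constructed sample: a repetitive CSV that compresses well.
SAMPLE_NAME = "payroll.csv"
SAMPLE_DATA = b"emp_id,amount\n" + b"".join(b"%05d,1000.00\n" % i for i in range(200))
```

Note that because no signature or encryption is present, a message produced this way has no integrity or authenticity protection at all; the reader should treat it like any other untrusted input (the length checks in split_packet are there for that reason). Real clients usually emit compressed packets with partial body lengths because the output size is not known in advance; the five-octet form used here is equally valid but requires the whole stream to be buffered first.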

zEDC HW Accelerated Compression

With PTF UA72250, Encryption Facility for z/OS has been enhanced to use zEnterprise Data Compression (zEDC) for OpenPGP messages. zEDC is used for compression when a zEDC feature is available on the system and IBM 31-bit SDK for z/OS, Java Technology Edition, Version 7 Release 1 or later is used on z/OS V2.1.

Machine Requirements

IBM Encryption Facility for z/OS Version 1.2 runs on System z mainframes that are currently in service. As System z mainframe processor levels go out of service, Encryption Facility will no longer be supported with those levels and the user must upgrade to a level that is still in service.

Software Requirements

IBM Encryption Facility has the following software requirements:

z/OS

IBM 31-bit SDK for z/OS, Java Technology Edition

Integrated Cryptographic Services Facility (ICSF)

The minimum service levels for these software programs are z/OS V1.12 (5694-A01) or later, IBM 31-bit SDK for z/OS V6 (5655-R31) or later, and Integrated Cryptographic Services Facility FMID HCR7770 or later. As service levels for each software program go out of service, Encryption Facility will no longer be supported with those levels and the user must upgrade to a service level that is still in service.